oN 


CALIFORNIA STATE UNIVERSITY California State University, San Bernardino 
SAN BERNARDINO 
CSUSB ScholarWorks 
Electronic Theses, Projects, and Dissertations Office of Graduate Studies 
5-2022 


LATTICE REDUCTION ALGORITHMS 


Juan Ortega 


Follow this and additional works at: https://scholarworks.lib.csusb.edu/etd 


G Part of the Algebra Commons, Algebraic Geometry Commons, and the Analysis Commons 


Recommended Citation 

Ortega, Juan, "LATTICE REDUCTION ALGORITHMS" (2022). Electronic Theses, Projects, and 
Dissertations. 1436. 

https://scholarworks.lib.csusb.edu/etd/1436 


This Thesis is brought to you for free and open access by the Office of Graduate Studies at CSUSB ScholarWorks. It 
has been accepted for inclusion in Electronic Theses, Projects, and Dissertations by an authorized administrator of 
CSUSB ScholarWorks. For more information, please contact scholarworks@csusb.edu. 


LATTICE REDUCTION ALGORITHMS 


A Thesis 
Presented to the 
Faculty of 
California State University, 


San Bernardino 


In Partial Fulfillment 
of the Requirements for the Degree 


Master of Arts 


Mathematics 


by 
Juan C Ortega 


May 2022 


LATTICE REDUCTION ALGORITHMS 


A Thesis 
Presented to the 
Faculty of 
California State University, 


San Bernardino 


by 
Juan C Ortega 
May 2022 

Approved by: 
Dr. Jeffrey S. Meyer, Committee Chair 
Dr. Youngsu Kim, Committee Member 
Dr. Bronson Lim, Committee Member 

Dr. Madeleine Jetter, Chair, Department of Mathematics 


Dr. Corey Dunn, Graduate Coordinator 


ii 


ABSTRACT 


The purpose of this thesis is to propose and analyze an algorithm that follows 
similar steps of Guassian Lattice Reduction Algorithm in two-dimensions and applying 
them to three-dimensions. We start off by discussing the importance of cryptography in 
our day to day lives. Then we dive into some linear algebra and discuss specific topics that 
will later help us in understanding lattice reduction algorithms. We discuss two lattice 
problems: the shortest vector problem and the closest vector problem. Then we introduce 
two types of lattice reduction algorithms: Guassian Lattice Reduction in two-dimensions 
and the LLL Algortihm. We illustrate how both algorithms can provide solutions to the 
shortest vector problem and closest vector problem. Afterwards, we use an application 
of a cryptosystem, GGH and show how one could break this cryptosystem using lattice 
reduction algorithms. 

Finally, we propose and analyze a new algorithm that applies the principles of 
Gaussian Lattice Reduction Algorithm in two-dimensions. We provide an original proof of 
this algorithm outputting a shortest vector in a given lattice L € R°. We state a conjecture 
about the termination of the algorithm. Then we analyze this new algorithm and compare 
it the LLL Algorithm and Gaussian Lattice reduction Algorithm in two-dimensions. We 
provide examples of different three-dimensional lattices. We then summarize the overall 


paper and discuss potential research in the near future. 


ACKNOWLEDGEMENTS 


First, I like to thank God. Second, I like to thank my advisor, Dr. Meyer, for all 
his help and support throughout this thesis. Next, I like to thank my committee members, 
Dr. Kim and Dr. Lim, for their comments on my thesis. Thank you for the feedback 
and clarifications. Lastly, I would like to thank my family and friends for supporting me 


throughout this academic journey. 


Table of Contents 


Abstract 
Acknowledgements 
List of Figures 


1 Introduction 
1.1 Public Key Cryptosystems... 2... 20.20.0200 00 eee ee 


2 Background 


Del SBOSeS 2 notee: Sa Ae le eee cla heal et les a ea ee ee 
2:2 WattiGess +3 2.0. hb: Pee bo ee ee el ea ES oe ed 
2.3 Length and Inner product ..........0. 0.000002 eee eee 
2.4 Lattice Problems ............ 0.0 eee ee ee 
2.5 Lattice Reduction Algorithms ................. 0.202000 4 
2.5.1 Gaussian Lattice Reduction Algorithm ................ 
2.5.2) bb EcAleorithii as: ie ens 2 oa Se Ei eed Mae aie OS 
2:6 SROuNdING 2: S.A Py aad Road edt ae hae he Ree ee 
3 Applications to Cryptography 
3.1 GGH Cryptosystem .. 2... 2... ee 
4 GLRA in Higher Dimensions 
Avl) “ThevAlgorithiny 20. hce A ak, en RB ee he A ae ee Be tee 
AD Anial ysis: io a: ho4 Geo segs AOS, ee SA a Bh te ea ek 
ALS: “Foxaimiples> «2.4.6 ¢: Pose we ke eg Bo ee ee AO ee ae a es 


5 Conclusion 


Bibliography 


iii 


vi 


vi 


List of Figures 


2.1 
22 
2.3 


2.4 


2.5 
2.6 
2.7 
2.8 
2.9 
2.10 
2.11 


2.12 


2.13 


2.14 


2.15 


4.1 
4.2 


MechOr Addition itty) di 0 tte iy doen, die oe Be wate oo tke, de ts) 
Wedbor Scalame inti on oe Ae Se el Pn og a 6 
AD ABCC IR ie okt ele Re ew ay Spee chs wotts a Rgvacet © poh Genet uy De: Bones 11 
Basis B : ‘ : : Saint wie eta Sager pane getty ee satel dae ae US ate 16 
: 7 8 

Basis C : A ; Hi ee AR geass Go te dh aca Rinne ine Seine te ete & 16 
Sum of two vectors via “tip-to-tail.” 2... 0... ee ee ee 18 
VECLOLS: Us eS VE eee be ete Rite Oe 2, Qh gee Ba Bees oe 8 19 
A lattice CL with fundamental domain F(u,v). ...........-0040.% 21 
Minkowski’s Theorem applied in R? .............. 0000004 24 
Proposition 2:5:3) ...4. cee ee Re ee ee Re 30 
” ” ae 3 5 

Bad” Basis: ; : Pe St ands ae Meth ares, eta Ane tae 2 Ae a 36 


1 —1 3 
GY ah sea este ate cet wh haere rcanet cx Sense ee dhe en te ek eel et ae re a AL 
UL 2 6 
”Good” Basis: 
0 1 —1 
1) lls ll FO Ne. ose nies Ge Stnmsintn BRS ee ie lee doe akana eek Ge Ged 41 
0 1 2 
Visual of points wandvé Ll... 2... 45 
Critical Liner ot f ise 2 1eGsn e ane bd ee 6 oe Pode Gee irk ek 61 


Paraboloid Off v3.24 sede ge Scein OE tea he dee ee he ot os 61 


Vii 


4.3 Eigenspacesof fo... 1... ee 61 
0 —1 —2 

4.4 Mp: | Oe ep] Oe Re. se dace Gh es oe eek wm Boel ahs Us BLS aA 65 
—1 1 


Chapter 1 


Introduction 


Throughout human existence, here have been many advances in the way mes- 
sages are sent and received. One of the most improved ways to send messages is through 
the internet, through which we may send instantaneous messages to whomever around 
the world at any given time. Then to expand on this idea we created different platforms 
for a variety of things like online shopping, researching online, paying bills, checking bank 
statements, etc. This data needed to be protected. So with this we had to come up with 
some kind of security to protect our online data. This lead to the idea of public key 


cryptosystems. 


1.1 Public Key Cryptosystems 


A public key cryptosystem is a cryptographic system that utilizes a pair of keys. 
The pair of keys are the public key, which anyone is allowed to see, and the private key, 
which is not shared with anyone (including among the fellow messengers). This public 
key is used to encrypt messages sent out into the world. The public encrypted message 
can then be decrypted by the receiver using the private key. Now the cryptosystem works 
only if the two persons who are exchanging information are using the same cryptographic 
algorithms. 

There have been several cryptosystems used for the protection of online data. 
RSA is one of the first public key cryptosystems, and is based upon the factorization 
of extremely large coprime numbers. It was created by Ronald L. Rivest, Adi Shamir 


and Leonard M. Adleman. To have a better understanding of how RSA works, refer to 


Chapter 3 Section 2 in An Introduction to Mathematical Cryptography [HPS16]. Another 
well known public key cryptosystem is the Diffie-Hellman Key Exchange. The algorithm 
was created by Whitfield Diffie and Martin Hellman. It is another way for two individuals 
to send encrypted messages to one another but uses the Discrete Logarithm Problem 
(DLP). For more insight on DLP and Diffie-Hellman please refer to Chapter 2 Sections 2 
and 3 in An Introduction to Mathematical Cryptography [HPS16]. Then we have Elliptic 
Curve Cryptography (ECC) which uses elliptic curves in familiar public key cryptosystems 
like Diffie-Hellman Key Exchange. The idea behind ECC was to create smaller keys but 
yet providing the same level of security as RSA-based keys. For a deeper look into ECC 
please refer to Chapter 6 Sections 1-4 and Section 6 in An Introduction to Mathematical 
Cryptography [HPS16]. 

A major issue with these public key cryptosystems is that they have been around 
for a while now and there exists an algorithm that can break these cryptosystems called 
Shor’s Algorithm. However, Shor’s algorithm is ahead of its time since it is a quantum 
algorithm. Our current non-quantum computers cannot implement Shor’s algorithm since 
part of Shor’s Algorithm relies on quantum computing. Full quantum computers do not 
yet exist but pose a threat to cybersecurity. This brings up the question, “Does there 
exist some kind of quantum resistant cryptosystem?” People have been working on new 
types of cryptosystems that promise to be quantum-resistant. 

The goal of the Post-Quantum Standardization project is to develop post- 
quantum cryptosystems that can provide security against quantum and non-quantum 
computers while also being able to work with the communication protocols and net- 
works. The development of quantum computers was first believed to be an impossibility, 
but after further research, scientists believe that physically creating a quantum computer 
is within the realm of possibility. It is necessary for us to be able to understand these 
post-quantum cryptosystems and be able to not only test the limits but branch out and 
discover new ways to protect our data. Improving on these methods and providing bet- 
ter security such that when these quantum computers come into existence, we will have 
post-quantum cryptosystems already in place. Potential candidates for this cybersecurity 
problem are lattice based cryptosystems. 

The lattice based cryptosystem NTRU is one potential candidate that may prove 


to be quantum resistant and is currently being put to the test for any feasible way to break 


the security of the algorithm. A lattice based cryptosystem is a public key cryptosystem 
but differs from the other cryptosystems mentioned earlier in this paper. Lattice based 
cryptosystems rely on hard lattice problems (see Section 2.4), while the other algorithms 
are based on prime factorization, discrete log problem, and elliptic curve discrete log 
problem. Two such lattice problems in lattice based cryptosystems are the shortest 
vector problem and the closest vector problem. We will go in more detail in regards 
to these two problems later in Section 2.4. NTRU has proven to be resistant to Shor’s 
Algorithm [MVZJ18}. 

NTRU became a finalist in the Post-Quantum Standardization project held by 
the National Institute of Standards and Technology (NIST). NIST was founded in 1901 
and became a part of the U.S. Department of Commerce. NIST is essentially a measuring 
infrastructure that was created to help with U.S. industrial challenges. NIST helped with 
technological innovation and worked with other companies not only in the U.S. but also 
around the world. If you can think of any type of technological advancement, such as the 
atomic clock, computer chips, etc., then NIST was involved with that project. 

The strength of lattice based cryptosystems are hard lattice problems. Hard 
lattice problems can be solved using certain algorithms called lattice reduction algorithms 
(see Section 2.5). Lattice reduction algorithms find solutions for hard lattice problems. 
The better (i.e. faster) the lattice reduction algorithm the more vulnerable the latice 
based cryptosystems. In this thesis, we analyze lattice reduction algorithms and propose 


our own. 


Chapter 2 


Background 


In this chapter we will be going over some mathematical concepts that are used 
in cryptography. We will be primarily be focusing on material from linear algebra and 
its applications. We will first talk about bases then move onto lattices. Then we will talk 
about vector length and inner product. We will then finish the chapter by talking about 


lattice problems. 


2.1 Bases 


To start off let us review some essential definitions and concepts from linear algebra. 
We will start by talking about vector spaces and for cryptographic purposes, the vector 


spaces we will be discussing are R” for some positive integer n. 


Definition 2.1.1. R” is the set of length n lists of real numbers. Elements in R” are 


called vectors and elements in R are called scalars. 


Notation. We write lists as columns and use bold letters for vectors and unbolded for 


scalars. We will use the corresponding letters for both, e.g. 


Definition 2.1.2. Vector Addition: If u,v € R”, then 


t UY 


t U2 


el [od fo 


Let us look at an example of vector addition in 


Example 2.1.3. Let u,v € R? and let u= and v = 
1 9 14+9 
5 3 5+3 


| 
| 
; 


9 
. Then 
3 


10 
8 


Below in Figure 2.1 we can visualize Example 2.1.3 via “tip-to-tail” vector ad- 


dition, creating a parallelogram. The diagonal is the sum. 


(10, 8) 


10 11 12 
Figure 2.1: Vector Addition in R?. 
U1 cul 
U2 cug 
Definition 2.1.4. Vector Scaling: If u € R” and c € R, then cu=c.- = 
Un CUn 


Now let us look at an example of vector scaling. 


1 
Example 2.1.5. Let u € R? and u= and let c = 2. Then 
1 


Figure 2.2: Vector Scaling in R?. 


pressed in R? geometrically can show how a vector can be stretched or compressed by 
some scalar. Notice from Example 2.1.5 that the scaled vector cu is going in the same 


direction as the vector u. 


Remark 2.1.6. A vector space is closed under vector addition and vector scaling. This 
means that for any two vectors u and v in the vector space, R”, the sum u+ v € R”. 


For any vector u € R” and for any c € R, then the scalar cu € R”. 


Definition 2.1.7. A linear combination of v,, vo,..., vz € R” is any vector of the 


form 


W = 41V1 + Gove +--- + aRVe with aj,...,a, € R. 


2 
Example 2.1.8. Let vector w = € R? and let vectors v; = ,v2= E R?. 


Then we can express the vector w as a linear combination of vectors v; and v2 with 


scalars ay = 2 and ag = 3 respectfully. 


W = Q1V1 + G2V2 


1 0 
=2 +3 
0 1 

2} Jo 
=| | + 

Oi? 8 

2 

3 


Expressing a vector as a linear combination may not be so difficult given we have all the 
information we need like in Example 2.1.8, but what if we had a given pair of vectors, 
say v, and vg, and we wanted to know if a vector w is a linear combination of v; and 
v2? To do this we need to determine if there exist scalars a,,a2 € R such that we can 
express W as G1 Vj + Gove. If we write out the equation 

Vi V12 


aj,V, + GgV2 = ay + ag ; (2.1) 
U21 U22 


We know based on how vector addition works from Definition 2.1.2, we can rewrite the 


equation a,v1 + a2Vv2 = w as 


ajvyt + agvuig = wi (2.2) 


Q1V21 + QoQv99 = We 


We have here our system of equations. The system of equations can be further expressed 
as a matrix. We can reframe (2.2) as a 2 x 3 matrix removing the variables a, and ag 


and replacing the =’s with a vertical line such that we get the augmented matrix 


Vil V12 WI (2 3) 


V21 =(V22 W2 


All we do from here is solve for the augmented matrix with the vector coefficients. This 


is where the concept of row operations comes into play. 


Definition 2.1.9. There are three row operations: 
1. Permute rows 7 and j; denoted as rj © 1;. 
2. Scale row i by nonzero scalar k; denoted as kr; > r;. 


3. Add a scalar multiple of row 7 to row j; denoted as kr; +17; > rj. 


2 1 
Example 2.1.10. Suppose we have vectors v; = and v2 = and we wanted 
1 


12 
to know if a vector w = is a linear combination of vj and v2. So we can express 


this as a linear equation 


1 —1 29 


Then we start by writing the augmented matrix and solve it using the row operations. 


i) 
ee 
be 
i) 


A 


e 
| 
—_ 
N 
No) 


T1172 


i) 
—_ 
ee 
i) 


cal A Ger ce al 


iw) 
—_ 
ee 
i) 
w 


hs 

So 
IN 
ar 


—2r, +7T2 > ro 


; 0| 41 
— m1 +T2 > 71 


Since we have a leading 1 for the entries, this means that the coefficients for vy and v2 


are 


la oars 


46 
O+a,= 3° 
Thus we have 
41 
a | 
46 
ag ~~ 37 


This means we can express the vector w as a linear combination of vj and v2 as shown 


below 


Definition 2.1.11. The collection of such linear combinations, 
{ayvi +--+ + agVvp 2 a1,...,a% € R} = Span ({vi, v2,---,Vn}) ; 
is called the span of {vi,...,v,}. Vectors span if their span is R”. 


Definition 2.1.12. A set of vectors v1, V2,...,Vvz € R” is linearly independent if the 


only way to get 


a1v1 + agv2 +--+ + anv, = 0 


is when aj =a) =--:-=az, = 0. 


The set is linearly dependent if it is not linearly independent, or in other words, there 


exists some a; € R, not all of which are 0, such that 
avy + agvg +--+: + anv, = 0. 


Linearly independent vectors satisfy the property that no vectors in the set is a linear 


combination of the other vectors in that set. 


Definition 2.1.13. A basis for R” is a set of linearly independent vectors v; ... vz that 


span R”. 
Theorem 2.1.14. Jf {vi,..., vx} is a basis for R", then k =n. 


The proof for this theorem can be found in Section 2.B of Sheldon Axler’s, 
Linear Algebra Done Right [Ax115]. 


10 


Theorem 2.1.15. If {vi,...,Vvn} is a basis, then a vector w € R” can be expressed in 


the form 
W = Qa{Vi + A2V2+...+GnVn 
for a unique choice of ay,...,4n € R. 


The proof of this theorem can be found in Section 2.B in Sheldon Axler’s Linear 
Algebra Done Right [Ax115]. Bases are deeply related to bases. In the next section we will 


talk about lattices, provide some examples and discuss how a basis and a lattice differ. 


Definition 2.1.16. If B C R” is a basis and B = {vj,...,vn} then the matrix associ- 
ated to B is denoted as 


Mzg= [vi| tabs lv E Matnxn(R). 


Definition 2.1.17. The general linear group under matrix multiplication of degree n 


over Z is the set of n x n invertible matrices with integer entries whose inverse also has 


integer entries. This is equivalent to requiring that the determinant equal +1. This is 


denoted as GL,(Z) or GL(n, Z). 


11 


2.2 Lattices 


In this section we discuss lattices. Lattices have many interesting applications 
in cryptography. A lattice can be used to encrypt and decrypt information. We will 


address that in Section 3.1. We begin with how to generate a lattice from a basis. 


Definition 2.2.1. Given a basis, B C R”, the lattice, L(B), is the set of all linear 
combinations of 6 with integer scalars. In other words, L(B) is the Z-span of B. We say 


B generates L. 


Definition 2.2.2. Let L C R” be a lattice. A sub-lattice is a subset L’ C L that is a 


lattice. 


Here we have an example to help us visualize a lattice. 


1 
Example 2.2.3. We first start off with a basis, B C R? with vectors u = and 
2 


v= . This is referenced in Figure 2.3. Then we take all linear combinations of the 


two vectors with integer scalars such that we generate a lattice. 


5? e 
) 4 e e 
03 e 


Figure 2.3: A lattice in R? 


One interesting thing about this lattice in Example 2.2.3 is that we can generate 


the same lattice with a different set of basis vectors. Generators of a lattice are not unique. 


12 


The following important theorem relates sub-lattices to bases and several corollaries follow 


from this essential theorem. 


Theorem 2.2.4. If B C R” is a basis and if C C L(B) is a basis where L(B) is a lattice, 
then there exists ann x n, integer matrix, X, such that Q = PX, where Q = Me and 
P= Mg. Conversely, if X is an invertible n x n, integer matrix then the columns of PX 


are a basis generating a sub-lattice of L(B). 


Remark 2.2.5. The invertible matrtix X is invertible in GL,,(R) where the inverse does 
exist but does not necessarily have integer entries. 

Proof. Let B = {b,,b2,...,b,} be a basis and suppose C = {cj,€2,...,¢n} is a basis 
where C Cc L(B) where L(B) is a lattice. We want to show there exists some n x n, integer 
matrix, X such that Mc = MgX. Since B is a basis for the lattice L(B) and C is another 


basis contained in that same lattice, then we can express C as a linear combination of B, 


Cc; = aybi + abe + --- + ainbn 
co = agiby + aggbg + +++ +. aonbn 
Ch = Ani b; +r aAn2 bo sy Bae Ae AnnDn : 


Since L(B) is a lattice then the coefficients {a1, a2,...,@,} € Z by Definition 2.2.1. Then 


the matrix 
a11 412 Qin 
a21 422 aan 
X= 
Qnl GQn2 °*** Ann 


is the integer matrix. Thus we have a n x n, integer matrix, X, such that Q = PX where 
Q = Me and P = Mz. This concludes the first part of the proof of Theorem 2.2.4. 

For second part of the proof, if X is an x n invertible, integer matrix then we 
want to show that the columns of PX are a basis generating a sub-lattice. Suppose that 


we have a basis B C L(B) whose associated matrix 


bit big +: On 


_ bo, bag +++ ban 


Mg= 


bri bn2 er ban 


13 
Next we compute PX where P = Mz and X is the matrix given above. Then performing 


[* a2 °° ‘al 
a21 Gog ++: Gan 


PX = MpX = |by | «|| | ba] | 


ae Qn2 ""° eal 


Notice that the columns of this matrix are linear combinations of a basis with integer 


matrix multiplication will give us 


scalars. So by Definition 2.2.1 this new basis, C, generates a sub-lattice since C C L(B). 


Corollary 2.2.6. If B C R” is a basis: 


1. If C Cc L(B) such that L(C) = L(B), then there exists a X € GL,y(Z) such that 
Me = MpX. 


2. IfX € GL, (Z), then the columns of Q = MpX is a basis, C, such that L(C) = L(B). 


Remark 2.2.7. The change of basis matrix in Theorem 2.2.4 is the basis vectors from 


the basis, B, which transitions to the new basis, C, when multiplied by the matrix X. 
Now we will prove both parts of Corollary 2.2.6. 


Proof. 1. We already have Mc = MgX since B C L(B) = L(C) by Theorem 2.2.4. 
Meanwhile, 6 Cc L(C), then by Theorem 2.2.4, there exists n x n, integer matrix, 
Y €GL,(Z), such that Mg = McY. So we substitute, meanwhile, 


Me = McY 
= (MpX)Y 
= Mg(XY). 


Since B is a basis, Mg is invertible. So we multiply by the inverse of Mg. 
Mg’ Mg = Mg! Mp(XY) 
i ee 


It follows, X is invertible and its inverse, Y, has integer entries. Since 1 = 


(det(X))(det(X)~") € Z, X has determinant 1 or —1. Therefore X € GL,,(Z). 


14 


2. L(C) Cc L(B): Since X € GL,(Z) and B C L(B) is a basis, then by Theorem 2.2.4 
we have the columns of Q = MpX generate a sub-lattice, L(C) C L(B). 


L(B) c L(C): Recall from Definition 2.1.17 that GL,,(Z) denotes the set of all n x n, 
invertible, integer matrices with X~! € GL,(Z). Then the columns of Mg = QX~! 
are contained in L(C). Thus 6 is contained in L(C) which implies L(B) Cc L(C). 
Therefore L(C) = L(B). 


Theorem 2.2.4 and Corollary 2.2.6 tell us that any two bases for a lattice D are related 


by a matrix with integer entries and having a determinant equal to +1. 


Example 2.2.8. Two additional bases generating the same lattice as in Figure 2.3 


6 5 
using Theorem 2.2.4 and its corollaries. Let basis B = ; and basis C = 
rs 
is 8 : 
, . Then by Theorem 2.2.4 there exists an X € GL,,(Z) such that we can 
9 11 


express Mc = Mg X. So we write 


Me = MpX 
7 8 _ 6 5] |aqy1 aye 
9 Il 7 5 a2, 422 


Since we are given both bases, we need to find the integer entries for the n x n integer 
matrix, X. To do this we need to multiply by the inverse of Mg denoted as My 1 We 
find the inverse by first finding the determinant of Mg which in this case det(Mg) = —5. 
Once we have the determinant we then swap the entries along the diagonal of Mg and 


change the original sign of the other entries of the other diagonal. 
6 5 —5 : 
Mg = > Swap 6 and 5 then change the sign of 7 and 5. 
7 


Next we multiply by the reciprocal of the determinant such that 


1 5 —5d 


M,z'=— 
caine ae 


15 


5 x95 
_|-5 =5 
7 6 
5 5 
-1 1 
{7 _6 
5 5 
Finally we can find X. 
Mg! Mc = Mg' MpX Mulitply by Mg’ on the left of both sides. 
Mg'Mc =1X Since MgM,' = I. 
Mg'Mc=X Since 1X = X. 
—-1 1 7 8 ; . : : 
= X Substitute with respected matrices and multiply. 
£ -§8/ 9 11 
2 8 
= X. 
-1 -2 


Notice that the matrix X is a 2 x 2 integer matrix with determinant equal to —1. Of 


course it is of no surprise given what Theorem 2.2.4 states. This will always be the case. 


Remark 2.2.9. When performing matrix multiplication, in most cases, the commutative 
property does not hold. So order matters when multiplying matrices. However, some 
matrices do, given that the two matrices we are multiplying together are inverses of each 
other. In other words if a matrix A is multiplied by its inverse A~! then AA7~! = J = 
APTA. 


Below we depict the lattice L being generated by each of the given bases. 


Figure 2.4: Basis B : 


; 7 8 
Figure 2.5: Basis C : ; : 
9 11 


16 


17 


2.3. Length and Inner product 


In this section we are going to talk about the length of a vector which is also 
called the norm of the vector. These are necessary to talk about lattice reduction algo- 
rithms. We need to know how to compute and reason about the length of a vector. To 


start off here is the definition for computing the length of a vector. 


Definition 2.3.1. The length (or norm) of a vector v € R” is 


Ivll = ok + ob + 402. 


The length of a vector throughout this thesis will be written as ||v||.. So now that we 


have the definition for computing length of a vector let us look at an example. 


Hl 


1 
| . Then the length of v is 
6 


y 


lIv|| = 0} +03 +03 +03 
= /@P +P +O? + 0? 
= V164+1+364+1 
Lye 
= 3V6. 


Example 2.3.2. Given vector v € R* with v = | 


Computing the length of a vector is not so bad if we remain within small dimensions. 
The length of a vector can become quite cumbersome when we look at vectors in higher 
dimensions. Notice the formula for computing vector length looks very similar to a 


theorem in geometry called the Pythagorean Theorem. 
Proposition 2.3.3. For all k © R, ||kv|| = |k|- ||v]]. 


If the length of a vector is equal to 1. Then that vector is a unit vector. Finding the 
length of a vector sum u-+ v is not so straight forward. For finding the length of the sum 
of vectors we are looking at the diagonal vector from the parallelogram formed by the two 


vectors. Recall Definition 2.1.2 which stated that the sum of two vectors is computed by 


18 


adding the entries of one vector to the entries of the other vector respectfully. The sum 
is the diagonal vector formed by the two vectors via “tip-to-tail” vector addition. Please 


refer to Figure 2.6 below. 


Figure 2.6: Sum of two vectors via “tip-to-tail.” 


We consider the diagonal of the parallelogram from Figure 2.6 ||u + v||?. If we rewrite 


||u + v||? in expanded form then 
Jat vl? = So (ug + v1)? 
= So (ui + vj) (us + v4) 
“Lee Dat De 


Taking this a step further, let us isolate }> u;v; on the right side of the equation by moving 


all the other terms to the left side of the equation. The result, is inner product. 


Definition 2.3.4. The inner product (or dot product) of u,v € R” is 


1 
(u,v) = 5 (llu + vi? = [lull? = lIvi?) = Sou. e. 


Proposition 2.3.5. The standard inner product satisfies: 


1. Positive definite. For all v € R”, (v,v) > 0, and equals 0 precisely when v = 0. 
2. Symmetric. For all v, w € R", (v,w) = (w,v). 


8. Bilinear. The inner product is linear in both inputs. 


19 
(a) Additive. for all vi, v2 , w € R”, (vi + vo, w) = (v1, w) + (vo, w). 
(b) Scaling. For all v,w € R", k ER, (kv, w) = k(v, w). 


We can use the dot product to measure the angle between two vectors. Re- 
member the Law of Cosines states: Given a AABC with side lengths a,b,c and angle 
9 = ZACB, then 


ce’ = a? + b* — 2abcos(6). 


Let us relate the Law of Cosines to vectors u,v and u— v. Let us rewrite the Law of 


Figure 2.7: Vectors u,v,u-— v. 


Cosines using the vectors from Figure 2.7, 
Ju — vil? = |Jul|? + |Ivi|? — 2||ul] - [Iv|| cos(4). (2.4) 
Next, if we express ||u — v||? using the properties of Proposition 2.3.5 then we get 
ju — v||? = (u—v,u-—v) 
= ||ul|? + |Iv|? — 2(u, v). (2.5) 
Then we can set (2.4) equal to (2.5) 


[Jal]? + Ilvll? — 2iful] - [Iv|] cos() = |fall? + [lvl]? — 2(u, v) 


Cancel some terms and 


|lul| - |[v|] cos(@) = (u, v). 


20 


Definition 2.3.6. The angle equation for the inner product is 


(u,v) = |[ul| - ||v|| cos(@). 


2.4 Lattice Problems 


Before we dive into lattice reduction algorithms, we need to understand two 
paramount lattice problems: the shortest vector problem (SVP) and the closest vector 


problem (CVP). 


Definition 2.4.1. The Shortest Vector Problem (SVP): Find a shortest nonzero 
vector in a lattice LZ. In other words, we want to find a nonzero vector v € L that 


minimizes the Euclidean norm ||v|]. 


Definition 2.4.2. The Closest Vector Problem (CVP): Given a vector w € R” that 
is not in the lattice L, find a vector v € L that is closest to w. Specifically, find a vector 


v € L that minimizes the Euclidean norm ||w — v]|. 


Minkowski’s Theorem (see Theorem 2.4.11) says that a sufficiently large bounded 
symmetric convex set must contain at least one nonzero lattice vector. This theorem gives 
us an upper bound for when searching for a shortest vector. Before we state this theorem 


we need to state some definitions to help us understand. 


Definition 2.4.3. Let LD be a lattice of dimension n and let vj, v2,...,Vy be a basis for 
L. The fundamental domain or fundamental parallelepiped for L corresponding 


to the basis is the region: 


F(v1,V2,---;Wn) = {tivi + teva +--+ +tnvn: 0<t; <1, for alli=1,...,n}. 


1 3 
Example 2.4.4. We start with our basis vectors u = and v = . Next we express 
F (u,v) as 


F (u,v) — {tju + tov : ti, te € (0, 1)} 


3 
=<t1 + te : ty, t2 € (0,1) 
1 


21 


The parallelogram formed by the sum of the basis vectors is bounded by the vectors since 


t; £1. Figure 2.8 helps illustrate the fundamental domain F(u, v) in R? shaded in blue. 


-1@figm 2 3 4 5 6 7 
—1 e e 


Figure 2.8: A lattice ZL with fundamental domain F(u, v). 


Note that the fundamental domain in R? is a parallelogram. The volume of the funda- 


mental domain ¥ can also be written as Vol(F). 


Proposition 2.4.5. Let L C R” be a lattice and let F be a fundamental domain for L. 


Then every vector w € R” can be written in the form 
w=t+v for a unique t € F and a unique v € L. 


Proof. Let E C R” be a lattice and let vj, v2,...,Vn be a basis of L that gives us the 
Fundamental domain *. We want to show that for any vector w € R”, w can be written 


as 
w=tiv for a unique t € F and a unique v € L. 


Suppose we have a vector w € R” then the vector w can be expressed as a linear 


combination of the basis vectors, v1, V2,---, Vn; 
a1V1 + dove +--+ + 4nVn for some @1,@2,...,4n ER. 
We now express each a; as 


a=—t+cG for t; € [0,1) and c; € Z. 


22 


Then 
w= (ty t C1)V1 (te C2)V2 T (tn T Cn)Vn 
= tivi + c1v1 + tove + cove 4 + trVn + CaVn 
= tyvy + teva +++ +tnVn + C1V1 + C2V2 ++°+ + CnVn, 
where tyv1 +tove +--+: +tnVn € F and cyvy + cove t:+-+enVyn € L. Next let us suppose 


that w=t+v and w=t’+v’. Then we have 


(ti + c1)v1 + (to + c2)v2 +++ + (tn +en)Vn = (4 +.1)vi + (t +eg)v2 + +++ + (th +o) Vn: 
Since vj, V2,..., Vn are basis vectors this means they are independent. It follows 
that 
tit+q=tt+e¢d for i =1,2,...,n. 
Hence, 


t,t = -—G €Z. 
We know that t;, t/ € [0,1) so the only way for t; — t, € Z is if t; =t/. Thus t = t’ and 
v=w-t=w-t' =v’. 


Therefore any vector w € R” can be expressed in the form w = t + v for a unique t € F 


and a unique v € L. 


Definition 2.4.6. Let L be a lattice of dimension n and let F be a fundamental domain 
for L. Then the n-dimensional volume of F is called the determinant of L. It is denoted 


by det(L). 
Proposition 2.4.7. If B is a basis, then det(L(B)) = | det(Mg)|. 


The proof of Proposition 2.4.7 can be found in the Appendix: A.10.8, in the book, 
Mathematics of Public Key Cryptography [Gal12]. 


Proposition 2.4.8. Let L C R” be a lattice of dimension n. Then every fundamental 


domain F for L has the same volume. 


23 


Proof. Let B = {uj,ug,...,U,} and C = {vi,v2,...,Vn} be bases in a lattice D C 
R”. Now let us analyze ¥(B) and F(C) two fundamental domains for the lattice L by 
Definition 2.4.3. By Corollary 2.2.6, there exists a X € GL,(Z) such that Mg = McX. 
Now consider Vol(F(B)). 


Vol(F(B)) = det (L(B)) by Definition 2.4.6 
= | det(Mz)| by Proposition 2.4.7 
= | det(McX)| by Corollary 2.2.6 
= | det(Mc)| - | det(X)| Since det(AB) = det(A) - det(B) 
= | det(Mc)| Since det(X) = +1 
= det (L(C)) by Definition 2.4.6 
= Vol(F(C)) by Definition 2.4.6 


Definition 2.4.9. If ac R” and R > 0, then the (closed) ball of radius R centered at a 


is the set 


Ba(a) = {x € R®: ||x — al] < RB}. 


Definition 2.4.10. Let S be a subset of R”. 


(a) S is bounded if there is a radius R such that S is contained within the ball Br(0). 


(b) S is symmetric if for every point a € S, the negation —a is also in S. 


(c) S is convex if whenever two points a and b are in S, then the entire line segment 


connecting a to b := {ta+ (t —1)b|t € [0,1]}, lies completely in S. 


(d) S is closed if it has the following property: If a € R” is a point such that every 


ball Br(a) contains a point of S, then a is in S. 


Theorem 2.4.11. (Minkowski’s Theorem). Let L C R” be a lattice of dimension n and 


let S' be a bounded symmetric convex set whose volume satisfies 
Vol(S) > 2”det(L). 


Then S contains a nonzero lattice vector. 


24 


Proof. Let ¥ be a fundamental domain for L. We can express every vector a € S uniquely 


by Proposition 2.4.5, so 
a=viw where v € Landwe fF. 


We can scale S by a factor of $ and in symbols, 
1 1 
5° = {saracsh. 


1 1 
Gi 55—>F, za Wie 


Consider the map 


Scaling S by a factor of 2 scales its volume by a factor of 2” since we are taking half of 


each dimension of n. It follows that 
i 1 Wt con 
Vol (55) = gn VOl(S) > an? det(L) = det(L) = Vol(F). 


The map o($5) is given by a finite collection of translation maps since S is bounded 
and the union of the translations of F +v = {w+v: w € F} as v ranges over the 
basis vectors in L. This means that d(5S ) is volume preserving since every fundamental 


domain is independent of the volume of L by Proposition 2.4.8. Then the domain of 55 


Figure 2.9: Minkowski’s Theorem applied in R? 


has volume strictly larger than the volume of range F. This implies that there must exist 


25 
distinct points say and say with the same image w in F. Thus 
1 1 
py and a ee 


with vy, v2 € L and w € F. Thus subtracting the vectors gives us 


1 

gal 582 = Vive b 
Since S' is symmetric we know (—$az) € S. Since S is convex, say — 52, is the midpoint 
of the line segment from a, to ag, ay — Fay € §S. Therefore we have constructed a 


nonzero lattice point in S 


OAvi-wE SOL. 


Minkowski’s Theorem is what we are going to need to prove Hermite’s Theorem. 
The length of a shortest vector is given an upper bound by Hermite’s theorem. This upper 
bound will help us in finding a region of where a shortest vector by applying Minkowski’s 


Theorem. 


Theorem 2.4.12. (Hermite’s Theorem). If L is a lattice of dimension n, then it contains 


a nonzero vector v € L satisfying 
liv] < Vin det(L)™. 


Proof. Let S be the hyper-cube in R”, centered at 0, whose side lengths are 2B : 


S= Cease yi) ER”":-B<2;,<B foralll Sesn}. 
The set S is closed, symmetric and bounded and its volume is 
Vol(S) = (2B)”. 
So if we set B= det(L)n, then 


Vol(S) = (2B)” 
= 2” B” property of exponents 


= 2” (det(L)n)") by substitution 


26 
= 2"(det(L)n) 
= 2 det): 


Now applying Minkowski’s Theorem we deduce that there is a nonzero vectora Ee SOL. 


We can then express a as coordinates (a1,...,@,) by definition of S such that 


Ilal| = \/a? +--+ +02 < VnB = Vin- det(L)r. 


Hermite’s Theorem helps us to have some sort of idea of the region in which a 
shortest vector exists. In higher dimensions greater than 3, we may not geometrically 


visualize such a vector, but we can algebraically determine its length. Note, SVP can 


0 
have more than one solution. For example, consider 6 = , C R?, all four 
0 1 
+1 0 io 4 “ 
vectors and are solutions to SVP. Similarly, CVP can also have more than 


one solution. Both CVP and SVP become computationally expensive to solve in higher 
dimensions, since they require a substantial amount of steps to solve. 
When the vectors are pairwise orthogonal we get the largest volume for F. We 


can determine the upper bound of Vol(F). 


Proposition 2.4.13. (Hadamard’s Inequality). Let L be a lattice with basis, B = 


{vi,.--,; Vn}, and let F be a fundamental domain for L. Then 
det(L) = Vol(F) < ||vall--- |[vall- 


Since we can determine an upper bound for the length of a shortest vector we 


can also find a lower bound for the length of the largest vector in any basis. 
a! 
Proposition 2.4.14. ||v;|| > (det(L))”. 


Trying to solve via brute force is difficult because we have no way to plot a lattice 
in R” where n > 3. The amount of computations become quite overwhelming since what 
may have worked in the lower dimensions may not always be the case in higher dimensions. 
For example, say we have a lattice L given by a basis B € R!°° and we wanted to find a 


shortest vector. Well the first thing we would do is create a list containing lattice points 


27 


from the given lattice. To do this we just take linear combinations of the basis vectors 
and set the range of our coefficients to go from say [—4,5] € Z. Then we create a nested 
for loop checking the lengths of each pair of vectors to determine the shortest vector in 
that list. This would require checking 10!9°° lengths! It would take a very long time. 
Granted a shortest vector in the lattice may not even be contained in the list that we 
created since our range is restricted by the closed interval [—4,5]. So we might have to 
increase parameters to include more lattice points and then run the nested for loop again. 
We can see that doing it by brute force is going to take a while but we would eventually 
find a shortest vector in the lattice given we have set the right parameters. This is why 
we have lattice reduction algorithms that help speed up the process and provide us with 


a shortest vector in the lattice. 


28 


2.5 Lattice Reduction Algorithms 


A lattice reduction algorithm is an algorithm that inputs a basis and returns 
a “simpler” basis generating the same lattice. Lattice based cryptosystems rely heavily 
on the difficulty on solving the shortest vector problem (SVP) and the closest vector 
problem (CVP). Reduction algorithms are very important for not only breaking lattice 
based cryptosystems but also in helping create cryptosystems that are not vulnerable 
to certain attacks involving SVP and CVP. These are similar problems and solving for 
one can surely help in solving the other. In this section we will be discussing two very 
important lattice reduction algorithms: Gaussian Lattice Reduction Algorithm in two- 
dimensions (GLRA) and the more widely used LLL Algorithm. GLRA is a good starting 


point for it will pave the way into understanding how lattice reduction algorithms work. 


2.5.1 Gaussian Lattice Reduction Algorithm 


The idea behind GLRA is given any “bad” basis, we can iteratively reduce the 
size of the vectors in that basis such that the end result is a reduced “good” basis that 
produces the same lattice. We use the word “bad” to mean the angle between the two 
vectors is acute and that the parallelogram or( i.e. fundamental domain) is sheared. We 
use the word “good” to mean that the reduced basis is close to orthogonal. 

The algorithm does this by subtracting scalar multiples of one vector from the 
other and replacing the larger vector with the new vector. Consider a lattice, L C R? 
with basis vectors v; and v2. Before applying the algorithm we can swap v, and v2 such 
that ||vi|| < ||v2||. Taking the larger vector, v2, and projecting it onto the smaller vector, 
V1 


(vi, V2)| 


Projy, V2 = 
y IIvall? 


Vi1- 


Since we want to stay within the same lattice, the projection scalar must be rounded to 


the nearest integer. So the equation looks like this 
vi =Vvo- ad V1. 


We then swap vj and v3 if needed and repeat the process until we can no longer reduce 
the size of the vector lengths. The process is similar to the Euclidean Algorithm but 


instead of finding the greatest common divisor, we are looking for a shortest vector. 


29 


Proposition 2.5.1. (Gaussian Lattice Reduction). Let L C R? be a two-dimensional 


lattice with the basis vectors v1 and vo. 


1. The following algorithm terminates and yields a good basis for L. 


Algorithm 1: Gaussian Lattice Reduction Algorithm in 2 dimensions 


1 if ||vi|| > ||ve|| then 


2 | Swap vj, and vo; 
3 end 
4 Compute m = | Meare), 


5 while m 4 0 do 


6 | v2=Vv2—mv1; 

fe if ||vi|| > ||v2|| then 

5 | Swap v1 and vo; 

9 end 

10 Compute m = | Mera | 
11 end 


2. The final vector v1 is a shortest nonzero vector in L, so the algorithm solves SVP. 


3. The angle 0 between v1 and v2 satisfies | cos(6)| < ol. so in particular, 
Qn 


<0< 


This Proposition 2.5.1 is essential for understanding lattice reduction algorithms. 
Before we prove Proposition 2.5.1 we need to state some additional information that will 


help us in proving that the algorithm will terminate. 


Proposition 2.5.2. Let v1, vo be the initial vectors of an iteration of the algorithm and 
let vi = vo — mv, and v5, = vy be the next set of vectors considered in the algorithm. 


2 
Then ||vii||? < war except for possibly the last two iterations. 


The proof of Proposition 2.5.2 can be found in Section 17.1 in Steven Galbraith’s 
Mathematics of Public Key Cryptography [Gal12]. 


30 


Proposition 2.5.3. If v, and v2 are some iteration of vectors in the algorithm with 


I|vil] < ||va|| and m = Beard then ||v2 — mvj|| < ||v2 —kvi|| for all k € Z. 


Ilva? 


Figure 2.10: Proposition 2.5.3 


Proof. Let | denote the span of v,. Since k € Z this implies that k-v, will give us any 


lattice point on line |. Since m = ee | then m will give us the closest lattice point to 


the point D where D is the intersection of the orthogonal projection of v2 onto the line 
1. Let B be the lattice point in the direction of v2. We know the length of line segment 


BD is the shortest distance from v2 to the line / because BD is perpendicular to I. So 


for all t € R we have ||v2 — wiry || < ||v2 —t+vi||. Note that point D on line / is 


not necessarily a lattice point since a lattice point is given by a linear combination of the 
vectors v1 and v2 with integer scalars. So rounding vill gives a lattice point. Thus 
m gives us the nearest lattice point to v2 such that ||v2—m-vj|| is the smallest compared 
to any other lattice point ||v2 —k-v1|| on line /. Therefore ||v2 —m- vi|| < ||v2 —k- vi]| 


for all k € Z. 


Corollary 2.5.4. Given the hypothesis of Proposition 2.5.8, if v, = v2 — mv, and 
v5 = v1, then ||v4|| < ||k’v5 + v4|| for all k € Z. 


Proof. Given the hypothesis of Proposition 2.5.3, if v4 = v2— mv, and v5 = vi, we want 
to show ||v{|| < ||A’v4 + v4|| for all k € Z. We have ||v2 — mvi|| < ||v2 — &vi|| for all 


k € Z by Proposition 2.5.3. We can then rewrite ||v2 — mvj|| = ||v{||. Moreover, we have 


IIvill < Ilv2 — val]. 


We then do some algebraic manipulation on the right 


IIvill < |lv2 — (k — m)vi — mvi]| 
< (k —m)v1 + v2 — mvj|| 
< ||k’vi + vo — mvi|| 
< ||k’v5 + v4 || 


Proposition 2.5.5. Ifm = 


Proof. Let v1, V2 be basis vectors in a lattice L. Supp 


31 


side of the inequality. 


Pull out a mv, from kv. 
Swap v2 and —(k — m)v}. 


Since —(k — m) =k’ € Z. 


Substitute v; and vg — mvj. 


t1, then the algorithm terminates in the neat iteration. 


ose v4, = v2 —mvj, and v5 = vj are 


the vectors considered in the next step of the algorithm. Let m = wz3| = ale +€ 


where |e| < 5. Since m = +1 then, at most, vj, = v2 4 
to show that m/ = 0. We consider two cases. 


Case 1: Suppose ||v4|| > ||v4|| (Do not swap). 


tv}. In the next iteration we want 


If ||v4| > |}v4|| then m! = Break Since 
(V1,V2) = (v2 + V9, v9) 
= (v2, v9) + (v9, V9) 
(v2,V1) = (v1, V1) 
= (v2, v1) £||vill? 
It follows 
oe (vi,V5) 
Ilvall? 
_ | (va, vi) = Ilval? 
[vil|? 
_ | (va,va) | [vall? 
Ivill? ~~ |Ival/? 


If m = 1 in the previous iteration then 


- [ie ie 


32 


= |-4 


= 0. 
If m = —1 in the previous iteration then 
V2,V v4|? 
wi a | 2 | a 
val? [Ivall 
=|-l-e+1] Since Maeva € 
I!va| 


Thus this final iteration of the algorithm will have m’ = |—e] which will round to 0. 
Therefore terminates the algorithm. 


Case 2: Suppose ||v4|| < ||v|| (Do swap). 


If ||v4|| < |}v§]| then |[v2 — mvi|| < ||vil|. If m = +1 then ||v}|] = || + v2 + vil| < ||vil]. 


We also know || + v2 + vi|| < ||va|| since we have that ||v1|| < ||vol|. If ||v4| < ||wel] 


then ||kv, — v2|| > ||vi]| for all k € Z by Proposition 2.5.3. Consider k = +1, then the 


following inequality would be 


IIval] < |] + v2 + val] < |[vill. 


This is a contradiction. Thus the second case does not happen. Therefore the algorithm 


will terminate. 


Proof of Proposition 2.5.1. 1. Let v1, v2 be basis vectors for a lattice L C R?. If 
we apply the GLRA Algorithm with the initial vectors v1, v2 then the next set 
of vectors to be considered in the algorithm are v, = v2 — mv, and v4 = vy. 
Since vi and v4 are the next set of vectors to be considered in the algorithm 
then ||v{||? < Ilva’ by Proposition 2.5.2. After each iteration the lengths of the 
vectors are being reduced by a third which means that at most 3!°83 iterations are 
being computed. Since the largest vector v2 is bounded below by (det(L)) 2 by 
Proposition 2.4.14, then the algorithm will stop when 


I|val| 
3k 


< (det(L))? 


33 


IIvall 


2 Be 
(det(L)) ? 
log, { —lv2ll mee 
(det (L)) ? 


Which tells us that the time complexity is O | logs —llvall__ . Hence, in a 
(det(L)) ? 


finite number of steps, |m| < 1. If m = 0 then we are done and the algorithm 


will terminate and return reduced basis vectors v; and vo. If m = +1 then by 
Proposition 2.5.5 the algorithm will also terminate in the next iteration and return 


reduced basis vectors v, and vo. 


. We prove that v1 is the shortest nonzero lattice vector. So suppose the algorithm 
terminates and returns the vectors v; and v2. This means that ||v2|| > ||vi|| and 


that |m| = 


(v1,V2) 


vil? < 5: Now suppose v € L is any nonzero vector in L. Then v 


can be written as v = a,v1 + agv2 where aj, a2 € Z. Then we can express: 


IIvI|? = |larv1 + aavell? 
= (a1V1 + a2V2, 41V1 + G2V2) 
= a? (v4, V1) + a1a2(V1, V2) + a142(V1, V2) + a3 (vo, v2) bilinear expansion 
= a3 |\vq||? + 2a,a2(v1, v2) + a3||vol|? rewrite 


> aj||vil|? — 2|aza9|| (v1, v2)| + @5||val|? 


> a2|fvy||2 — |azaa] - ||val|2 + @2]|vol[2 fromm <5 
> aj||val|? — Jarag| - |[val|? + a5||va |? since ||v2|| > ||vi]| 
= (aj — |aya9| + 45) ||vil |? 

= (aj — |ay| - |a2| + a5)|Ivi||? 


Next we want to show that the scalars, a? — |a1| - |a2| + a3 > 0, since we know that 
||v|| > 0 by Proposition 2.3.5. By setting |a1| = t; and |az| = te where ty, te € R, 


we now analyze the quantity: 


i tite ea. 


34 


If we complete the square on the expression above with respect to t,;, we get 


1 
t? — tyte 4 ne a ee 
peu ie 32 
ca acy ee 4 


So, 


ie er 
f-ntn+=(t- 51) + 7b. 


We complete the square of t? — tit2 + ¢3 for ta, 


1 
Dy. yD 
ty T ris 


tf — tite +B 


So, 


Thus, 


2 2_ 319 1 : i, won 
tt — tte + ty = rae a 3! — to =[(t—- 9/2 + qe 
Sums of squares are non-negative. Only way to get zero is if tj = tg = 0. Since not 


both a,, az are zero this is positive. Also because a, and ag are integers then aj, 


a2 > 1. Then ||v||? > ||vi||?. Thus v, is the smallest nonzero vector in L. 


. Suppose the algorithm terminated and the vectors v, and v2 are the output. We 


want to show that | cos(@)| < IIvill Since the algorithm terminated this means that 


= 2i}vall’ 
t= ee < }. We can then rewrite (v1, v2) = ||vil| - ||v2||cos(@) by Definition 
2.3.6. Then, 
ods wie 
Iva 
_ |lvil]- IIv2l| cos() 


[lvl 


35 


|| v2|| cos(@) 


IIvall 


Next, we have the following inequality 


1 22 || v2|| cos(@) i 1 


since | cos(8)| < 1. 


27 |[vall 7 2 
a < ||va|| cos(0) < wal multiply by ||vi|| on both sides. 
_llvall e cos(ay < Iv divide by || val| on both sides. 
2||val| 2||val| 
I|val| 
cos(@)| < 
jeos(0)| < 


Now that we have a better understanding of how GLRA in two-dimensions 
works. We are able to solve for SVP and CVP with this algorithm in two-dimensions. 
The GLRA is useful for understanding how some of these lattice reduction algorithms 
work in higher dimensions. Since GLRA only works in two dimensions we can follow the 
steps of the algorithm. Let us go ahead and look at an example using GLRA for a given 


basis in two-dimensions. 


Example 2.5.6. Suppose we have a lattice L in R? with basis vectors vj = and 
8 


5 
v2 = . We will apply GLRA and the table below will show us the vectors and m 
14 


used at each iteration of the algorithm starting with our initial vectors and initial m. 


GLRA 
Steps V1 vo m 
1 (3,8) (5,14) 2 
2 a (3,8) -4 
3 (-1,0) (-1,-2) 1 
4 (-1,0) (0,-2) 0 
The algorithm returns our reduced “good” basis and the vector v, = is a solution 


for SVP in the given lattice L. The figures below illustrate what the “bad” and “good” 


bases look like for this example. 


36 


@ ® 
—2 -1 12 3 45 6 7 
3 5 
Figure 2.11: ” Bad” Basis: ; 
8 14 


One thing to notice about the algorithm is that to compute m we round a half 
down towards zero. This is a crucial piece of information that should not be overlooked. 
If we took m to be rounded the conventional way such that m will be rounded to the 
nearest integer then the algorithm will fail since it will not work for every pair of vectors. 


Let us look at an example of what happens if we round the conventional way. 


9 10 
Example 2.5.7. Let L be a lattice in R? with basis vectors v1 = and v2 = : 
14 15 


We apply GLRA and we will see that the algorithm does not terminate but will oscillate 


between +1. 


37 


GLRA 
Steps V1 Vo m 
1 (9,14) (10,15) 1 
2 (1,1) (9,14) 12 
3 (1,1) 632) ff 
4 a (-2, 3) 1 
5 (1,1) (-3,2) i 
6 alae (-2, 3) 1 


Now in Steps 3 and 4 of the algorithm those same coordinates are going to repeat over 
and over. The reason is because in this example we end up getting m = 5 The algorithm 


will be stuck in this infinite loop and never terminate if [3] =1. 


Now that we are able to find a good basis, we are able to break some lattice 
based cryptosystems in two-dimensions. We will see the importance of lattice reduction 
algorithms in Section 3.1. There are other algorithms that can help find “good” bases in 


higher dimensions like the LLL Algorithm. 


38 


2.5.2 LLL Algorithm 


The Gaussian Lattice Reduction Algorithm is helpful in understanding how lat- 
tice reduction works in two dimensions. The strategy behind the algorithm is used sim- 
ilarly in another more widely used algorithm called the Lenstra-Lenstra-Lovdsz (LLL) 
Algorithm. The LLL algorithm was invented by Arjen Lenstra, Hendrik Lenstra and 
Laszl6 Lovdsz. The LLL algorithm works similar to GLRA but has one additional con- 
dition. 

The Gram-Schmidt Algorithm used in the LLL Algorithm is a variation of the 
Gram-Schmidt process. In the Gram-Schmidt process we normalize the vectors [Axl15]. 


The Gram-Schmidt Algorithm does not normalize the vectors. 


Theorem 2.5.8. (Gram-Schmidt Algorithm). Let v1,v2,...,Vn be a basis in R". The 


following algorithm creates an orthogonal basis vj,V5,...,V;, € R”: 


Algorithm 2: Gram-Schmidt Algorithm 
1 Input a matrix M = {v1,vo,..., Vn}. 
2 Set vj =vi 


3 Loop 7 = 2,3,...,7; 
4 Compute pj; = Tel for l<j <1; 


Ilvz 


a a i-1 oe ok 
5 Set vj = vi — Dojo MijV}- 


6 End Loop 
7 return Vj,V5,---,V;, 
8 /* Note that none of the vectors vj,...,v;, are normalized. The thing we 


are doing that is similar to the Gram-Schmidt process is removing the 


projection components from v; in the direction of all Vj. * 
The two bases have the property that 
Span{vi,V2,---,Vn} = Span{vj, v5,.--,v,,} for alla = 1, 2,0%.05%: 


The proof of Theorem 2.5.8 for both parts is done by induction. It can be found 
in Section 7.3 in An Introduction to Mathematical Cryptography [HPS16]. 


39 


Definition 2.5.9. Let B = {v1,v2,...,Vn} be a basis for a lattice L and we use B* = 
{vi,v3,..., vi} be the associated Gram-Schmidt orthogonal basis. The basis B is said 


to be LLL reduced if it satisfies the following two conditions: 


. a Ives vil 0 1 eo 
(Size Condition) = |;,;| = Iaile < 5 foralll<j<i<n. (2.6) 
3 
(Lovasz Condition)  ||v7||? > ( — 1) I|vi_,|[? for alll <i<n. (227) 


Theorem 2.5.10. (LLL Algorithm). Let {vi,...,Vn} be a basis for a lattice L that is 
contained in Z”. The algorithm terminates in a finite number of steps and returns an LLL 
reduced basis for L. More precisely, let B = maa||vi||. Then the algorithm executes the 
main k loop no more than O (n? logn + n? log B) times. In particular, the LLL algorithm 


is a polynomial-time algorithm. 


The LLL algorithm is currently one of the most used lattice reduction algorithms. Unfor- 
tunately, LLL does not provide a solution for SVP but only guarantees an approximation 
for SVP. One open question is, “Are there better algorithms that can solve SVP in higher 
dimensions or at least have a better time-complexity than the LLL algorithm?” This 
question motivated my research in Chapter 4. To compare GLRA to the LLL Algortihm 


we are going to use the same vectors from Example 2.5.6. 

Example 2.5.11. Suppose we have a lattice L in R? with basis, B = {v,,v2} and 
3 5 

v= and v2 = . We will apply the LLL Algorithm to these vectors and return 
8 14 


the following LLL reduced basis. 


Mghae: Or 9 


The reduced basis here is exactly the same as the reduced basis in Example 2.5.6. The 


reduced basis given by applying GLRA is 


Algorithm 3: LLL Algorithm 


1 


2 


3 


4 


5 


Input a matrix M = {vj,vo2,...,Vn}. 
Set k = 1 

vi=v1 

Compute Gram-Schmidt for M 
while k < n do 

For j from k — 1 to 0; 

if not Size condition(k,j) then 


| Compute vz = ve — | fej ]1Vy; 


end 

if Lovasz Condition(k) then 
| k=k+1 

end 

else 


Swap (vz, Ve—1) 
Update Gram-Schmidt of M 
k = maz(k — 1,1) 


end 

end 

return VW 

/* Note: {vj}, v3,...,v;,} is the orthogonal basis computed by 
Gram-Schmidt Algorithm. |z,;| is the rounded Gram-Schmidt coefficient 


computed by ee ar 
J 


40 


41 


Example 2.5.12. Let B = {b,,b2,b3} be a basis in R* with basis vectors b; = |1 


1 
= 3 
be = | 0 |, bs = |5]} and let L(B) be a lattice. We are going to run the LLL Algorithm 
2 6 


for this basis and we get 


Cai 2 as 
Mp=|1 0 5|, Mf*=|1 0 Oo 
i 2 01 2 


The columns of ue are our LLL reduced vectors for the basis, B. 


In Figures 2.13 and 2.14 we can visualize the two bases. 


Figure 2.13: ”Bad” Basis: Figure 2.14: ”Good” Basis: 
1 —1 3 0) 1 —l 
1} 5) Ols|5 1), /0),) 0 
1 2 6 0 1 2 


Notice that the two algorithms GLRA and LLL work differently yet both output 


42 


—1 
“sood” bases. One thing to point out is that the vector | 0 | did not change in terms of 
2 
—1 
length but in postion. In the original basis matrix the vector bz = | 0 | and in the LLL 


—l 
reduced basis b3 = 0 | . The LLL Algorithm may not need to reduce the size of all the 
2 


vectors in the original basis if the Size Condition is satisfied for each pair of vectors. The 
vectors did swap positions because the orthogonal basis vector associated to that vector 
did not satisfy Lovasz’ Condition. 

To compare, GLRA simply works by just reducing the size of the vectors v1 and 
v2 until m = 0. While the LLL Algorithm, must satisfy two conditions: Size Condition 
and Lovasz’ Condition, for each pair of vectors {vj, v2, v3} and {vj, v5, v3} respectfully. 
The LLL Algorithm focuses on two sets of bases, the original basis 6 and the associated 
orthogonal basis from Theorem 2.5.8. While, GLRA does not really on the Gram-Schmidt 
Algorithm to reduce the size of the vectors. Both algorithms reduce the size of the vectors 
but differently. The GLRA in two-dimensions reduces the size of the vectors by removing 
the rounded projection coefficient of mv; from v2. The LLL Algorithm reduces the size 
of the vectors by removing the rounded Gram-Schmidt coefficient pijv; from v;. Be 
aware that rounding of m and j;; is done differently in GLRA and LLL respectfully. In 
GLRA we are rounding 5 down towards zero, while in LLL we are just rounding the 
Gram-Schmidt coefficient 5 up. 

Given by both examples of GLRA and LLL, it is easy to visualize that the 
reduced bases are close to orthogonal, but as we get into higher dimensions we cannot 
visually see that the reduced bases are close to orthogonal. Even visually in three- 
dimensions it can be difficult to see if the vectors of a reduced basis are quasi-orthogonal 
compared to the original basis. However, we can determine if a reduced basis actually is 


more orthogonal compared to the original basis by using Hadamard’s Ratio. 


Definition 2.5.13. The Hadamard ratio of a basis B = {bj,b2,...,b,} is given by 


43 


the quantity, 


where L(B) is a lattice. 


1 
det (L(B i 
w= (#008) 
||| - ||b2|| -- + |[n|| 
The closer the Hadamard ratio is to 1, the more orthogonal are the vectors in 
the basis. If we go back the Example 2.5.12 we can compare the Hadamard ratio of the 


original basis matrix Mg to that of the LLL reduced basis matrix, M Boe 


bo) fe 


Mg=|1 0 5), M*=l1 0 0}. 
1 2 6 01 2 


The Hadamard ratio for Mg is 


7 det (L(B)) 
H(Mg) = (I - ||be|| - rei) 


(avn) 
— v3. v5: V70 

x 0.4524. 
This tells us that the original basis B is not very close to orthogonal. Let us compare 


that to the Hadamard ratio of the reduced basis matrix, Meee . The Hadamard ratio for 


MEL is 


||bi|| - ||bel] - ||bs]| 
1 

a3 3 
7 (—s-) 


~ 0.9826. 


| ay ) 


Here we can see that Mgt is more orthogonal than Mg. 


44 


2.6 Rounding 


In this section, we explain how, rounding any vector w € R” to the closest lattice 
point v € L. If we had a lattice L C R” with basis B = {vj,vo,...vn} that are pairwise 


orthogonal, i.e. 
(vi, Vj) =0 for all i Fj, 


then we are able to solve SVP and CVP. To solve for SVP we need to look at the length 


of a vector v € L which is given 
IVI? = |larva + ave +++ + anvnl |? 
= (ayv1 + agve2 + +++ + GnVn, a1V1 + G2V2 + +++ + GnVn) 
= aj (vi, V1) + 41, d2(V1, V2) + +++ + 41, An (V1, Vn) + 43 (V2, V2) + +++ +2 (Wn, Vn) 
= a? (v1, v1) + a3 (vo, v2) +--- +42 (vn, Vn) 
= aj||vil|? + a3] |vall? +++» + af ]|vall?. 


We then take the square root of both sides, 


VIlvIl? = Vailivil? + a3||val|? +--+ + af] |vnll? 


[vl] = lea] - [val] + laa] - [}val] +--+ + lan}: |Ivall- 
Since the coefficients a1, a2,...,@n, € Z then we can notice that the shortest nonzero vector 
or vectors in L are simply the shortest vector or vectors in the set {+v,,+vo2,...,+vn}. 


Now let us say we want to find the closest lattice point to a vector w € R”. Then we 


express the vector w as 
w =tyv, + tovea +--+: +tnVn where ty, to,...,tn ER. 
We then have v = ajvj + dgvg +-:-+4n,Vn € L. Now we can write 
llv — wll? = (ar — th)? [lvill? + (a2 — ta) lIvoll? +--+ (Qn — tn)? llvnll2. (2.8) 


We want to minimize (2.8) by taking a; to be integer coefficients in which the integers 


are the closest to corresponding t;. 


45 


Figure 2.15: Visual of points w and v € L. 


The process only works if the given lattice has basis vectors that are (close to) 
pairwise orthogonal. If we have a basis with highly non-orthogonal vectors, then the 
algorithm will give us the wrong lattice point. The idea of Babai’s Algorithm is simply 
rounding the real coefficients t; to the nearest integers, which in turn gives us the closest 


lattice point to the vector w. 


Theorem 2.6.1. (Babai’s Algorithm) Let L C R” be a lattice with a basis, 
B= {Vijsss; Va} 


and let w € R” be an arbitrary vector. If the vectors in B are sufficiently orthogonal to 


one another, then the following algorithm solves CVP. 


Algorithm 4: Babai’s Algorithm 
Write w = tiv; + tevo + --- + tnvn where t1,to,...,tn € R. 
Set: @— |b) fora = 15 2,8,.4 7%: 


Return the vector v = ajvj + dovo +:+++ GnVn. 


—16 37 
Example 2.6.2. Let L C R? be a lattice given by the basis vj = and v2 = : 
37 45 
We are going to use Theorem 2.6.1 to find a vector in L that is close to the vector 
1993 : . 
w= . We can also check by computing Hadamard’s ratio 
2002 


Hora) = (204d)! 


IIvall Ilva 


46 


_ 1386 2 
~ \ (40.311) (48.466) 
x 0.842. 
This tells us that the basis {v,, v2} is fairly orthogonal. The first thing we are going to 


do is express w as a linear combination of v, and v2. We do this by performing the row 


operations such that we get reduced row echelon form (rref). So we start with the matrix 


az —16 37 1993 
37 45 2002 
and now we perform rref. 
—16 37 1993 
rref(A) =rref 
37 45 2002 
1 0 —7.473 
0 1 50.633 
So ty = —7.473 and tg = 50.633 Now we can express w as a linear combination of v; and 


v2 with real coefficients. 


w=t1vi + tove 
~16 
= —7.473 + 50.633 
37 


Now Babai’s Algorithm tells us to round t; and tz to the nearest integer such that we get 


—16 37 
V==T +51 
37 45 
112 1887 
= + 
—259] | 2295 
_ 1999 
2036 


Then v € LZ and v should be close to w. To check we compute 


\|v — w|| = 34.525. 


AT 


The distance between the two vectors is small which is what we should expect since the 


pair of basis vectors were fairly orthogonal. 


48 


Chapter 3 


Applications to Cryptography 


In this section we will discuss application of lattices to cryptography: GGH 
Cryptosystem. The overall goal of this section is to help us understand the importance 


of lattice reduction algorithms and how powerful they can really be. 


3.1 GGH Cryptosystem 


The GGH cryptosystem from Goldreich, Goldwasser and Halevi is a public key 
cryptosystem that uses the lattice theory from the previous sections. Say we have two 
individuals that want to communicate and use GGH cryptosystem to send encrypted 
messages to one another. Like any other public key cryptosystem, the process requires a 
pair of keys. The “good” basis is the the private key and the “bad” basis is the public 
key. Recall that a “good” basis meant that each pair of vectors was close to orthogonal 
and that a “bad” basis was non-orthogonal or really sheared. 

Without loss of generality let us call our two communicators Alice and Bob. 
Before Alice and Bob can start communicating, Alice must pick a “good” basis. The 
length of her basis must not be too small otherwise the eavesdropper, Eve, can decrypt 
Bob’s encrypted message. She will select large n (maybe n > 500). She will let her basis 
B = {uj,u2,...,u,} be her private key. The basis 6 will generate the lattice ZL C R”. 
We will also refer to Alice’s private key as the “good” coordinate system. Next, Alice will 
pick an x n matrix X € GL,(Z). The matrix X can be randomly generated by taking a 
nxn identity matrix and doing multiple iterations of matrix multiplication with a mix of 


n X mn upper and lower triangular matrices with diagonals of the matrices having entries 


A9 


of +1. After creating a X then Alice will compute a new basis using X and the “good” 


coordinate system, 
Me = Mp- X 


where C = {v1, Vv2,.--,;Vn} is a new basis for L by Theorem 2.2.4. Basis C is the “bad” 
basis Alice uses as her public key. We will refer to Alice’s public key at the “bad” 
coordinate system. Both the “good” and “bad” bases are given relative to the standard 
basis. 

If Bob wants to send a message to Alice, he has to pick a vector m € R” with 
integer coordinates as his plaintext. The vector m can be a binary vector, which means 
the vector can have entries of zeros and ones, but there are many ways to encode messages 
as a list of integers. Bob must also pick another small vector r to slightly move m off L. 
The vector r has to be small in the sense that it must move m off of L without moving 
it closer to another lattice point. Otherwise rounding using Babai’s Algorithm will cause 
issues for recovering plaintext m. When saying the word “small” I am referring to the 


length of the vector r. Bob thinks of his message as being in C—coordinates, 


n 
q= Mem+r= So mivi +0. 
i=1 


Therefore Mcm is the same vector, but now in standard coordinates, which will be Bob’s 
ciphertext. Bob’s message in “bad” coordinates changes to standard coordinates and 
nudges it a little bit to be off the lattice. 

All Alice has to do to decrypt Bob’s message. She does this by first computing 
Mz ‘gq, putting the ciphertext into good coordinates and then she rounds using Babai’s 
Algorithm. The “standard” coordinates ends up being u = Mem € L. Last thing she 
does from here is compute Mz 'u to end up with the ciphertext m. Here we have a table 


summarizing the GGH cryptosystem. 


50 


Alice Bob 


Key Creation 


Choose a “good” basis: 

B= {uj,us,..., up}. 

Choose a X € GL, (Z). 
Compute the “bad” basis: 

C = {v1,V2,---;Vn} where 
Me = Mp- X. 

Publish the public key C. 


Encryption 


Choose plaintext m. 

Choose random small vector 
r. 

Use Alice’s public key to com- 
pute q = mM 1Vv1,+M2V2+++++ 
MnVn +r = Mem-+r. Send 
the ciphertext to Alice. 


Decryption 


Compute Msg '4. Use Babai’s 
algorithm to compute the vec- 


tor u € L closest to q. Com- 


pute u to recover m. 


Table 3.1: GGH Cryptosystem 


Now let us look at an example of how GGH cryptosystem works in R?. 
Example 3.1.1. Let us say Alice chooses her “good” basis B = {uj, ug} with vectors 


1 2 
uy = and ug = . Now the lattice L spanned by 6 has determinant det(L) = 
2 


| det(Mg)| = | — 5| = 5. To check the orthogonality of the vectors u; and uz we use 


51 


Hadarmard’s ratio of the basis which is given by 


det(L) 2 


|u| - [uel] 


H(B) = H(uy, u2) => ( 


I 
ae 
a” Ot] Or 
NIF ed 3] on 
NiF Ol 
N_” 
NIF 


KH — 
. ee 


What this means is that the vectors of B are orthogonal since H(B) = 1. Note that in 
higher dimensions this will not always be the case but since we are working in R? it is 
easier to find a “good” basis such that we achieve orthogonality. Now that Alice has her 
“good” basis, she then needs to find a matrix X € GL2(Z). Let us say Alice finds her 


matrix 


3451 —3952 
1171 —1341 


which has determinant det(X) = 1. Alice creates her “bad” basis C by multiplying her 
“eood” basis with her X, gets 
Mc = Mp: X 


1 2 3451 —3952 
2 —-1 1171 —1341 


7 5793 —6634 
5731 —6563 
; 5793 —6634 
So our vectors for the basis C are v1 = and v2 = . 
5731 —6563 


Now Alice sends Bob her public key. Bob decides to send a message to Alice using his 


11 0 
plaintext vector m = and his random vector r = . The following ciphertext 


52 


is created 
q= Mcm+r 
=mjvi+mMmeov2 +r 


5793 ~6634 0 
+74 + 
5731 —6563}  |-1 


=11 


63723 —490916 0 
+ + 
63041 —485662 -1 


—427192 
—422621 


Alice is going to express q as a linear combination of the vectors uj and ug from the 
“good” basis coordinates relative to the “good” basis, B. So Alice will compute Mj, ‘q 


to find the corresponding coefficients. 


—2| |—427192 


1 
-1 5 
q= 
. ~2 1 | |~429621 


—254487.400 
—86352.800 


Alice can express q = tyu, + tgUg where fy, tg € R. So Alice has 


q = tu) + t2u2 


1 
= —254487.400 — 86352.800 
2 


Alice then rounds the real coefficients t; and tg such that we get integer coefficients which 


gives the closest lattice point u to q. 


1 
u = —254487 — 86353 
2 


—254487 sh dye 172706 
—508974 86353 


—427193 
—422621 


53 


Then Alice computes Mc'u since u = Mcm. 


—6563/5 —6634/5] | —427193 


Mc'u = 
5731/5 5793/5 —422621 


11 
74 


and she finds Bob’s plaintext m = 


Suppose we had an eavesdropper named Eve who wanted to decrypt Bob’s 
ciphertext. Well the only information Eve has is the public key that Alice published 
and the ciphertext Bob sent. So if Eve were to try and decode Bob’s message using the 


“bad” basis C then she would first compute Mo ‘gq. 


6563 6634 
= 427192 
Mo'q= 5 5 


5731 5793 
Sl BT 422621 


1337.800 
1232.600 


She applies Babai’s Algorithm, 
e = 1337.800v; + 1232.600vo. 
Rounding those coefficients to the nearest integer we can see that the vector 


1338 
1233 


/ 


11 
is not the correct vector m = . However, if Eve applied a lattice reduction algorithm 


she could find Alice’s private “good” basis and then find Bob’s message. This is why 
lattice reduction algorithms are so important. The algorithms can help in finding a 


“eood” basis such that we are able to break cryptosystems like GGH. 


54 


Chapter 4 


GLRA in Higher Dimensions 


In this section we will be talking about our research research. We have proposed 


and analyzed a version of GLRA works in R® for many cases. 


4.1 The Algorithm 


Gaussian Lattice Reduction in Dimension 3 (GLR3) follows the conditions for 
Gaussian Lattice Reduction in Dimension 2. We constantly need to check the projection 
scalar, mij = re such that m;,; #0 for 0 <7 <j <3. The projection scalar needs 
to be rounded to the nearest integer. We also have to make sure our column vectors in 
the 3 x 3 matrix are in the right order with column vectors having ||v;—1|| < ||v:|| for 
0 <i<n where n is the dimension of the matrix. The idea here is to project the longer 
vector onto the shorter vector and then subtract a scalar multiple of the shorter vector 
from the longer vector and replace the longer vector with the difference between the two 


vectors. What we want is to get as close as we possibly can to an orthogonal basis which 


Ee : wy 
I|vi||? 


(Size Ordering) Ilvil] < |[vj|| for al 1 < i<j <3 (4.2) 


is why the algorithm terminates when m = 0. 


(Projection Scalar) m= nn PL peas | (4.1) 


The algorithm follows a similar process to that of the Gaussian Lattice Reduction Algo- 


rithm in two-dimensions. 


59 


Algorithm 5: GLR3 Algorithm 
1 Input: Basis vectors v1, Va, v3; 
2 Compute Size Ordering (4.2); 


3 Compute Projection Scalar (4.1); 


4 while m #0 do 
5 Compute vj =v; —mx*v; /* Associated pair used to compute m 
for the computation on line 5. */ 
Compute Size Ordering (4.2); 
Compute Projection Scalar (4.1); 
6 end 


Result: [v1, v2, v3] 


We are now going to explain each section of the algorithm. We need to start 
with base cases such that we are able to run the algorithm. We need to check that the 
column vectors are in order from least to greatest, i.e, we want to make sure the length 
of the column vectors are checked such that the column vectors are put into the right 
order with the first column vector being the shortest and the column vectors following 
are slowly increasing in length such that the last column vector is the largest one in the 
matrix. We also want to initialize projection scalars for each pairwise column vectors 
such that the longer vector is being projected onto the shorter vector. Remember that 


m € Zand so each m;,; must be rounded a half down towards zero. 


Input: Basis vectors v1, v2, v3. Compute Size Ordering (4.2). Compute 


Projection Scalar (4.1). 


Next, we need to check each projection scalar m;,; such that we take the greatest 
one to be our m. Note: We are going to take the absolute value of each projection scalar 
such that we take the biggest value. Next we need to run a Boolean loop such that we 
continue to run the algorithm as long as m 4 0. While this statement is true we need 
to make sure the associated projection scalar is being used for the correct pair of column 
vectors in each equation for each case. What we want from the while loop is to reduce the 


size of the longer vectors and then swap them when necessary. Then continue to run the 


56 


loop. We continue to check the lengths of each vector such that we maintain the order of 


while m # 0 do 

Compute vj = vj; —m* Vj ; /* Make sure that the associated 
vectors from (4.1) are being used for the computation on 
line 5. */ 


Compute Size Ordering (4.2); 


Compute Projection Scalar (4.1); 
end 


Result: [v1, v2, v3] 


column vectors to be from least to greatest. Then again recompute the projection scalars 
for each pair of new vectors as done in the while loop above and take the biggest scalar. 

Once the condition is no longer satisfied, then the algorithm terminates and 
returns the column vectors vj,v2 and v3 with ||vi|| < ||v2|| < |/vs||. This will be the 


“better” basis. 
Conjecture 4.1.1. This code will terminate. 


In all of our trials the algorithm has terminated and gave us an output of a 
reduced basis in R?. The propositions used to prove the termination of GLRA are not ap- 
plicable here. Although the computations are similar, trials have shown that Proposition 


2.5.2 and Proposition 2.5.5 do not hold for all cases in the GLR3 Algorithm. 


Theorem 4.1.2. If the GLR3 Algorithm terminates, then it will produce a shortest vec- 


tor. 


Proof. Suppose the algorithm for GLR3 terminates and returns a “good” basis with 


vectors V1, V2 and v3. This means that ||vi|| < ||ve|| < ||v3]| and m = ay < $ where 


1<i<j<3. Now suppose v € L is any nonzero vector then we can express v as 
V =a vj + Gove + a3V3 where aj, G2, a3 € Z. 
Then we get 


IIv|l? = |larva + aave + agval|? (4.3) 


57 


= (avi + A2V2 + A3V3,A1V1 + A2V2 + a3V3) (4.4) 


a ai(v1,V1) + a1a2(V1 + V2) + a143(V1 - V3) + a1a2(V1 + V2) + a3(Vv2, V2) 


+a203(V2 - V3) + a143(V1 - V3) + a2a3(Vv2- v3) + a3(v3, V3) 


= a?||v4||? + 2a1a2(vq - V2) + 2a1a3(v1- v3) + a3||v9l|? 


oe a (4.5) 
+2a2a3(v2 - v3) + a3||v3l| 
> a}||vil|? — 2|a1a9| - |v - v2| — 2lara3| - [vi - v3] + a3] [vel]? (4.6) 
—2\aza3| - |v2 - v3| + a3] |v3||? 


> az ||vil|? — |arag| - |}vil|? — Jaras| - [vil]? + @3||vall? — Jazas| - ||val|? + a3] [v3]? 
(4.7) 

> aj||vil|? — |arag] - ||vil|? — Jaras| - |]val|? + a3] /vi||? — Jazas| - ||vil|? + @3||vil|? 
(4.8) 

= (aj — |a1a9| — |aya3| + a3 — |aga3| + a3)||va] |? (4.9) 


When moving from equation (4.3) to (4.5) we are just rewriting the length of the vector 
in bilinear expansion form. From equation (4.6) to (4.7) we remove the 2’s since m < 3. 
Then from equation (4.7) to (4.8) we substitute ||v2|| and ||v3|| with ||vi|| since ||vi|| < 
||v2|| and ||vi|| < ||v3||. Finally, from (4.8) to (4.9) we just factor out ||v1||.. Now we 
want to show that (a? — |a1a9| — |a,a3| + a3 — |a2a3| + a3) > 0 since we know ||v|| > 0 by 


Proposition 2.3.5. Let |a,| = t1, |a2| = te and |a3| = tz where ty, to, t3 € R. Then 


ae _ |a,a9| — |a,a3| + as _ |a2a3| + aa _ i tytg — t1t3 4 i tot3 4 ie 


Case 1: 


As long as the ¢;’s are not all equal then we will now prove t? — tytz —tyt3 + t3 — tats + ¢3 is 
positive. Let f(t1, to, t3) = t? — tite — tits + t3 — tots + ts We want to analyze the critical 
points of the function. First we are going to determine the critical points of the function. 
Then we are going to apply the second partial derivative test. Since we are working in 
R? we need to use tools from multivariable calculus [EJ92, Theorem 7.5]. First we take 


the first partial derivatives: 


58 


The gradient vector is 


a a 
Vf=|-1. 2 =1) lel. (4.10) 


Fa 2] [a 


Finding the critical points is the same thing as finding the null space of this matrix. Now 
we want the matrix in reduced row echelon form (rref) so that we can determine the 


critical points. 


2 —-l1 -1 1 0 -l 
rref a a =" )Or 21 
=] =]: °2 0 0 O 


Since the first two rows have a leading 1 for the entries and the third row is free, this 


means that our linear equations are 


t; —t3 =0 


tg —tz =0 


where ¢, and tg are the pivot variables and t3 is our free variable. Now taking it a step 


further our solution set is 


ty = tg 
to = ts 
t3 = t3 
It follows that null space is, 
1 
t {1 tEeR 


59 


Interpreting this in our multivariable calculus problem, our critical points are when ty = 
to = tg for all real numbers. 
Now we take the second partial derivatives of f as the entries of the Hessian matrix 


denoted H(t1,t2,t3). Then the Hessian matrix will be 


a? f Cai a f 


Ot? = Ot Otz_——«Ot Og 2 -l -l1 
Saleen J0ip* aide Mx 
H(ti,t2,t3)= |onan OF  dindts ee Sy 
a? f oy a f = 
Ot30t1 Ot30t2 at2 1 1 2 


Since the Hessian matrix does not vary with t,,t2 and tz then we may write it as H. 
Observe this matrix happens to be the same matrix when we were analyzing Vf. Now 
we look at the eigenvalues of each critical point to determine if it is positive definite, 
negative definite or a saddle point. To find the eigenvalues of the matrix we start by 


finding the determinant of the matrix. 


AHA-\T= 1 2—- 1 | where Z is the identity matrix. 
Xr 


This determinant is the cubic polynomial \? — 6\? + 9A = \(A — 3)": The eigenvalues of 
the Hessian matrix are A = 0,3,3. This tells us that the Hessian matrix is positive semi- 
definite. So we need to further analyze what is happening at each of the critical points. 
We now must find the eigenvector for each eigenvalue, this will help us in determining 


whether the function is moving in the positive or negative direction. If \ = 0, then 


2 0 1 1 0 E —1 -1)0 1 0 -l 0 
A=0: 1 2-0 1/0} =]-1 2 —-1);0} ~ JO 1 —-1}0]. 
1 1 2-—0)]0 -1 -l 210 0 0 O ' 


The eigenspace is then 


1 
E,:= i :tER}, (4.11) 


60 


1 


which in turn tells us an eigenvector for \ = 0 is |1|. Now we do the same process for 


iu 


A = 3. The new matrix will be 


2-3 1 1 |0 -1 -l1 -1)0 1 1 1/0 
A=3: 1 2-3 1 |0) = 1 1 1);0} ~ |0 O OF0 
1 1 2-—3)0 -1 -l1 -1)/0 0 0 00 


Now we have one pivot variable t, and two free variables tz and tz. So the solution set is 


t] = —to — t3 
tg = tg 
ts = ts. 


Then the eigenspace is 


ol Ly 


A convenient eigenvector basis associated to = 3 is | 1 | and! 0 |. 


0 iL 
When the eigenvalue \ = 0, the function is neither increasing or decreasing in the direction 


of Ey (4.11). A quick computation will show that the output is 0 on FE}. 
CA) es ae ae et ee (4.13) 
= 0. (4.14) 
Since the other eigenvalues are positive, for any point on the critical line, if you are not 


moving in the direction of the critical line then you must be increasing. Figure 4.1 depicts 


this phenomenon at the critical points. The actual figure is in R® and therefore the graph 


61 


Figure 4.1: Critical Line of f 


Figure 4.2: Paraboloid of f 
Figure 4.3: Eigenspaces of f 


of the function is in R*. We can not picture the actual graph but we can take slices of 
it as depicted in Figure 4.1, Figure 4.2 and Figure 4.3. All points on the critical line are 
minimum points, which means that the value of the function at that point is less than 
or equal to the value of any other point near or on the critical line. Therefore as long as 
t; Ato €t3 then f(t), te,t3) > 0. Since aj, ag and a3 are integers and not all equal then 
lIvll > llvill. 

Case 2: Now if |a1| = |a2| = |a3| then we have to take a slightly different approach. Well 
we know that ||v|| > 0 by proposition 2.3.5. Since we are looking for a shortest non-zero 
vector a1, a2 and ag can not be 0. Let |ai| = |a2| = |a3| = a where a € Z. Let e¢; = +1 


where 1 <i <3. We then rewrite the vector v as 


IIv||? = |laervi + aeagve + ae3vs||? (4.15) 


62 


= lal? -|lervi + €2V2 + €3V3||° 


= |a|? . ae.) + €1° €2(v1 . V2) + €,° €3(V1 . v3) + €1° €2(v1 . V2) 


+63 (v2, V2) + €2- €3(v2- v3) + €1 - €3(V1 - V3) 


+e2 - €3(v2- v3) + (v3, va) 


= |al?- [ailvulP + 2(e1 + €2)(vi» v2) + 2(e1 - €3)(Vi - V3) + Sl] vel? 


(4.16) 
Co rie val 
> lal? - [ailvul? + (€1 + €2)(v1 + v2) + (er - €3)(v1 - v3) + || vel |? 
(4.17) 
+(€2 + €3)(V2-Vv3) + dival?| 
> al? [ailval? +(e, -€2)|Ivall2 + (er -ea)|Ivill2 + lla 
(4.18) 
+(e) - €3)|Ivall? + dival?| 
> al? [dilvalP +(e, -€2)|Ivall2 + (2 3)|Ivall2 + Bl lvil 
(4.19) 
+(e) €3)|Ivil|2 + dlivilP| 
= |al?. a+ (a-a)+-a)+d+(a-a)+4| “| vil 2 
ee 3 Perea: 7) Alvill? (4.20) 


First, from (4.15) to (4.16), we are just substituting a1, a2 and a3 with the variable a 
and we use bilinear expansion and combine like terms. Third, when moving from (4.16) 
to (4.17) we remove the 2’s since m < §. Fourth, from (4.17) to (4.18) we replace the 
first two dot products with ||vi||? and the third dot product with ||v||? since m = ae 
where 1 <i < j < 3. Next, from (4.18) to (4.19) we substitute ||va||? and ||v3||? with 


\|vil|? since ||vz|| < ||val| and ||vi|] < |/v3||. Last, from (4.19) to (4.20) we factor out 


||vi||? and add up all our ¢;’s and e? = (+1)? = 1. Now, without loss of generality, 


consider [3 + (€1 - €2) + (€1 - €3) + (€2- €3)| 


geal eB (epy (1 4 0S 81 HS. (4.21) 


63 


The result will be the same if we allow either €2 or €3 to also equal —1 for (4.21). 


ep Seg Ss Bana) eel) en) 


(4.22) 
= (3+1-—1-1] =2. 
The result will be the same for any pair of €;’s equal to —1 for (4.22). 
eS omg cal bat bela epaR ta) (4.23) 


=[8+1+1+1)=6. 


The result will be the same if all €;’s were equal to 1 for (4.23). Now what this tells us is 
that the inequality is either going to be ||v|| > 2a?||vi|| or ||v|| > 6a?||vi||. Which tells 


us since 2a”, 6a? € Z and cannot be 0 unless |a,| = |a2| = |a3| = 0 then v, is the smallest 


nonzero vector in the lattice. 


64 


4.2 Analysis 


The GLR3 Algorithm shows promise in working in three-dimensions. We have 
yet to find a matrix for which it fails in three-dimensions. Further analysis is required. 
Perhaps it fails to generalize in higher dimensions. We speculate that since the computa- 
tions require an additional step since we are taking m to be the maximum of all projection 
scalar coefficients, it may be the case that the time complexity of this algorithm in higher 
dimensions might be slow compared to the other lattice reduction algorithms. We can 
compare the reduced “good” basis to the a LLL reduced “good” basis in three-dimensions 
to see if there is a difference. We can do this by comparing the Hadamard ratio of each 
basis. For this comparison we will be referring to Example 2.5.12 and using those same 
vectors to find the reduced “good” basis using GLR3. Recall the basis, B, with basis 

1 a 3 
vectors from Example 2.5.12 are bj = |1|] ,bo = | 0 | ,b3 = [5]. Applying GLR3 to 


Hole} 


the matrix 


We have to following reduced basis matrix 


b+ 


ai 0 ‘ed 


nou 
ps | 


Notice that the reduced matrix M; B has the first two columns similar to the M@ Bee: When 


0 -l1 1 


we say similar, we mean that the vectors are on the same line. The only difference is the 
—1 
last column vector for the LLL reduced basis was | 0 | and the last vector in the GLR3 
>| 
—2 
reduced basis is | 0 |. If we check the Hadamard ratio of the reduced basis for GLR3, 


ea 


65 


then we get 


ae det (L) 3 
H(Mg) = Ca - ||bel| - ma) 


3 3 
7 (aa) 
= 0.9826 


Which is the same as the H(M§"”) ~ 0.9826. 


oO} |-1] |-2 O) fal et 
Figure 4.4: Mz: 11,/0],]/ 0]. Figure 4.5: Mg": 1]. /o],] 0 
O| |-1 oO} |1 2 


Similar to GLRA, the GLR3 Algorithm reduces the size of the vectors by looking 
at each pair of vectors and then removing an integer scalar of one vector from the other. 
The rounding is done the same as in GLRA where m is rounded a half down towards 
zero. Unlike in LLL where the Gram-Schmidt coefficient is rounded to the nearest integer. 


GLR3 is similar to GLRA, the only difference is that GLR3 works in three-dimensions. 


66 


4.3 Examples 


In this section we will provide several examples using GLR3. We will start off 


with a simple example first to explain what is happening at each step. 


Example 4.3.1. Let B € R® be a basis with basis vectors 


2 1 2 
vi = | 1) ,V2= ]2] ,v3 = |-3 
3 0 —5 


Let L be a lattice generated by the basis 6. We will now apply the lattice reduction 
algorithm GLR3. The first thing that is going to happen in the algorithm is put the 
length of the vectors in order from least to greatest. After the vectors are ordered, we 


will then compute m for each distinct pair of vectors. 


GLR3 Algorithm 
Steps V1 v2 V3 ™1,3 ™2,3 ™y1,2 m 
1 (2,1,3) (1,2,0) (2,-3,-5) * =| 1 -1 
2 (1, 2, 0) (2,153) (3, -1,-5) 0 ei 1 “i 
3 (1, 2, 0) (2, 1, 3) (5, 0, -2) 1 0 1 1 
4 a0..0) (2; 1,3) (A 20" 1150 0 i 1 
5 (9:0) (aie) (4; 22-9). | 0 0 0 0 
In step 1 we compute ™m 1,3, 2,3, ™1,2 and take 
_ Ivi-val]l]., 2524 
m = max 5 :1l<i<jg<3>. 
Ilva 
Since |m1,3|] = |m2,3| = |m1,2| = 1, then we are going to take m = m2,3 = —1. So for our 


next set of vectors in step 2 we subtract v3 = v3 — mvp from step 1. Notice in step 2 that 
vectors v1, V2 swapped positions since ||va|| < ||vi||. In step 2 we then again compute 
M1,3,™M2,3,7™1,2 and set m = m23 = —1. Next we compute v3 = v3 — mv2. Notice in 
step 3 that no two vectors swapped positions since the vectors remain in order from least 
to greatest. Step 3 we continue with the iteration and set m = m 3 = 1. Then compute 


V3 = V3 — mv. Step 4 we set m = m1,.2 = 1 and compute v2 = v2 — mvj. Step 5 the 


67 


algorithm terminates since m1,3 = m2,3 = m1,2 = 0. Thus the vectors in step 5 are the 


reduced basis vectors for the lattice L. 
We will now compare the Hadamard ratios of the original basis matrix and the 


reduced basis matrix. 


ale 


ges ( det(L) 


IIvall - [val] - [val] 


7 ( ~36 , 
3-7 14-34 
= 0.8193. 


Wl 


oie ( det(L) y 


[Ivall - Ilvall - [val] 


= 0.9223. 


We can see with the Hadamard ratio, that the original matrix Mg is fairly close to 
orthogonal, but after computing the Hadamard ratio for the reduced matrix Mz we can 


see that the reduced basis is better. 


We will now look at examples with bigger iterations and compare the orthogo- 


nality of the original basis matrix with the reduced basis matrix. 


Example 4.3.2. Let L be a lattice and let C be a basis for L with basis vectors 


| 9 | leew ba 
vi=|-19!,v2= |! 14 |,v3= 1! 60! . 
|-17| —24 | s3| 
Now we apply GLR3 and the reduced basis vectors are 
Ns el aged 
v= 0 vo = —l Ve= Dsi| os 
Next we compare the Hadamard ratios of both bases. 


det(L) 3 


IIvall - IIvall - [val] 


H(Mc) = ( 


68 


6 3 
(oe | 
~ 0.0122. 


aise det(L) )’ 


IIvall- [val - [val] 


- (ara) 


~ 0.9635. 


The algorithm terminated after 30 iterations. The H(M) has reduced basis vectors that 


are pairwise fairly orthogonal unlike the initial basis vectors we started with. 
Example 4.3.3. Let DL be a lattice and let # be a basis for L with basis vectors 
21697 —8604 6732 
vi = | —91776 | , v2 = | 36396 | , v3 = | —28473| . 
—134348 53278 —41682 


Now we apply GLR3 and the reduced basis vectors are 


1 0 0) 
Vic=" 10) ver= 1901 be: 8 
0 —2 0 


Next we compare the Hadamard ratios of both bases. 


det(L) 3 


[val] - [val IIvsll 


H(Mz) = ( 


i 
3 


6 
7 (a - 2\/1059310729 - Eas) 
~~ 0.00002. 


eed, det(L) 5 
aca (ra “[Ivall ra) 


1 
6 3 
=(735) 


=1. 


69 


The algorithm terminated after 45 iterations. Notice in this particular example we were 
able to get the H(M’,) = 1. This means that the reduced basis vectors are pairwise 


orthogonal. 


Let us try the same set of vectors from Example 4.3.3 and apply the LLL Algo- 
rithm. The LLL reduced basis would then be 


j 0 ‘| 
ME = 16.02 8: 


an 


Next we determine H(M ere) and compare it to H(M‘,). 


H( MEH) = ( det(L) is 


[Ivall - [val - [val 


1 


- (Gym) 


~ 0.9826. 


From Example 4.3.3, our GLR3 Algorithm actually returned a much better basis since 
H(M,) =1 


70 


Chapter 5 


Conclusion 


The point of this project was to apply a well known algorithm, the Guassian 
Lattice Reduction Algorithm in two-dimensions and see if it was applicable in three- 
dimensions. Before we could get there we had to discuss several topics in linear algebra 
that helped us better understand how and why these lattice reduction algorithms worked. 
There were important theorems that were stated and proved which better helped us un- 
derstand certain concepts not just in linear algebra but in lattice reduction algorithms 
too. Minkowski’s Theorem gave us a region in which we could find a shortest vector. 
Hermite’s Theorem gave us an upper bound for the length of a shortest vector. We dis- 
cussed the two different types of lattice reduction algorithms providing their psuedocode 
and examples for each. We discussed the importance of lattice reduction algorithms in 
breaking lattice based cryptosystems. 

When introducing the new algorithm GLR3, we not only provided psuedocode 
but broke down what was happening at each step. We provided a conjecture that the 
algorithm terminates and provided a reduced basis in R?. We had to use some calculus in 
the proof for finding a shortest vector in GLR3. It was interesting to see how calculus and 
linear algebra topics were used in the proof. We worked with programming, in particular 
all of the algorithms were coded up using SageMath. Another useful tool was GeoGebra, 
which helped in creating all of the figures in this thesis. GeoGebra was also used to help 
generate lattices in both R? and R?. We used the figures to help us visualize certain topics 
in linear algebra using geometry. GeoGebra also helped in visualizing certain pieces for 


several proofs throughout the thesis. 


71 


In the future we would like to see if GLRA in two-dimensions can be generalized 
to work for any dimension n. If so, then the next thing would be to prove that the algo- 
rithm will terminate in those higher dimensions and that the output provides a solution 
to SVP. Then we would like to determine its time complexity and prove that as well. We 
would then compare the time complexity to the time complexity of the LLL Algorithm. 
The project indeed opened our eyes to the mathematics used in cryptography. Some open 


questions: 


Open Question 5.0.1. Can we characterize the lattices or bases for which GLR3 ter- 


minates? 


Open Question 5.0.2. For what lattices or bases does GLR38 fail and can those bases 


or lattices be characterized? 


Open Question 5.0.3. If GLR3 does fail, can the algorithm be improved upon such 
that it does not fail? 


Open Question 5.0.4. Can GLR3 be generalized to work for any dimension n? 


72 


Bibliography 


[Ax115] 


[EJ92] 


[Gal12] 


[HPS16] 


[MVZJ18] 


Sheldon Axler. Linear Algebra Done Right. Springer International Publishing, 
2015. 


C.H. Edwards Jr. Advanced Calculus of Several Variables. Academic Press, 
New York, 1992. 


S. Galbraith. Mathematics of Public Key Cryptography. Cambridge University 
Press, Cambridge, 2012. 


J Hoffstein, J. Pipher, and J.H. Silverman. An Introduction to Mathematical 
Cryptography. Springer-Verlag, New York, 2016. 


V Mavroeidis, K Vishi, M. D. Zych, and A Jgsang. International journal of 
advanced computer science and applications. The Impact of Quantum Com- 


puting on Present Cryptography, March 2018. 


